[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)

* [Rule Tuning] Fix MS Defender XDR tag

* bump upodated_date

rules/windows/execution_initial_access_foxmail_exploit.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ Foxmail, a popular email client, can be exploited by adversaries to gain initial
 - Examine the arguments of the spawned process to verify if they point to a suspicious temporary directory, as indicated by the query pattern (e.g., paths under "?:\\Users\\*\\AppData\\*").
 - Investigate the contents of the identified temporary directory for any unusual or malicious files that may have been executed.
 - Check the email logs and Foxmail client activity to identify any recent emails that could have contained malicious attachments or links leading to the exploitation attempt.
-- Correlate the event with other security alerts or logs from data sources like Elastic Defend, Sysmon, or Microsoft Defender for Endpoint to identify any related suspicious activities or patterns.
+- Correlate the event with other security alerts or logs from data sources like Elastic Defend, Sysmon, or Microsoft Defender XDR to identify any related suspicious activities or patterns.
 - Assess the risk and impact on the affected system by determining if any unauthorized changes or additional malicious processes have been initiated following the initial alert.
 
 ### False positive analysis
@@ -75,7 +75,7 @@ tags = [
     "Data Source: Windows Security Event Logs",
     "Data Source: Elastic Endgame",
     "Data Source: SentinelOne",
-    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Microsoft Defender XDR",
     "Data Source: Crowdstrike",
     "Resources: Investigation Guide",
 ]